{
  "threat_severity" : "Important",
  "public_date" : "2025-10-01T00:00:00Z",
  "bugzilla" : {
    "description" : "django: Potential partial directory-traversal via archive.extract()",
    "id" : "2400450",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400450"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.", "A flaw was found in Django. The django.utils.archive.extract() function, used by startapp --templateand startproject --template, allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18979",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-django-0:4.2.25-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18984",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/lightspeed-rhel8:2.5.250924-2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18979",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-django-0:4.2.25-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19201",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "python3.11-django-0:4.2.25-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19221",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-26/lightspeed-rhel9:sha256:1bbb8bdf4e4245579b74a0c8a80bf85849866a286b91f053292f48a08f65d80d"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2025-12-15T00:00:00Z",
    "advisory" : "RHSA-2025:23196",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-tech-preview/ansible-devspaces-rhel9:sha256:020f49ce6da38f7ea894297143c18f6b1fa6a6986a9ef78d33f6e359a24e35b9"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0414",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-cni-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-pilot-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Affected",
    "package_name" : "openshift-service-mesh/istio-proxyv2-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel9-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-sail-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh-tech-preview/istio-ztunnel-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-24/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ansible-dev-tools-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:certifications:1::el7"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Not affected",
    "package_name" : "discovery/discovery-server-rhel9",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "python-django20",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "satellite-capsule:el8/python-django",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers",
    "fix_state" : "Not affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:rhui:4::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59682\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59682" ],
  "name" : "CVE-2025-59682",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}